How hackers allegedly stole “unlimited” amounts of cash from banks in just hours

Feds accuse eight men of participating in heists that netted $45 million.

Federal authorities have accused eight men of participating in 21st-century bank heists that netted a whopping $45 million by hacking into payment systems and eliminating the withdrawal limits placed on prepaid debit cards.

The eight men formed the New York-based cell of an international crime ring that organized and executed the hacks and then used fraudulent payment cards in dozens of countries to withdraw the loot from automated teller machines, federal prosecutors alleged in court papers unsealed Thursday. In a matter of hours on two separate occasions, the eight defendants and their confederates withdrew about $2.8 million from New York City ATMs alone. At the same times, "cashing crews" in cities in at least 26 countries withdrew more than $40 million in a similar fashion.

Prosecutors have labeled this type of heist an "unlimited operation" because it systematically removes the withdrawal limits normally placed on debit card accounts. These restrictions work as a safety mechanism that caps the amount of loss that banks normally face when something goes wrong. The operation removed the limits by hacking into two companies that process online payments for prepaid MasterCard debit card accounts issued by two banks—the National Bank of Ras Al-Khaimah PSC in the United Arab Emirates and the Bank of Muscat in Oman—according to an indictment filed in federal court in the Eastern District of New York. Prosecutors didn't identify the payment processors except to say one was in India and the other in the United States.

The first heist, which occurred on December 22 and targeted debit cards issued by the UAE bank, dispatched carders in about 20 countries who rapidly withdrew funds in more than 4,500 ATM transactions. In New York City alone, prosecutors said, the defendants and their co-conspirators withdrew almost $400,000 in some 750 fraudulent transactions from more than 140 different ATM locations. It took the New York cell just two hours and 25 minutes to complete, prosecutors said. A second operation, commenced on February 19, withdrew about $40 million in 36,000 transactions worldwide. In just 10 hours, the New York group allegedly withdrew about $2.4 million in almost 3,000 ATM transactions.

The operation exploited weaknesses in the way banks and payment processors handle prepaid debit cards, which usually are loaded with a finite amount of funds. These cards are often used by employers in place of paychecks and by charitable organizations to distribute disaster assistance. Once the accounts were hacked and their limits removed, the cards were cloned and sent to cell groups throughout the world to make fraudulent withdrawals. Additional details of the operation are available in a press release outlining the charges.
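The safety mechanism the article describes is a per-card limit stored in the processor's own records, which is exactly what the intruders edited. The following is an added example, not code from the article or from either bank or processor: a velocity monitor that reads a constructed authorization log and flags the cashing pattern (one card hitting many ATMs, many times, for large totals within an hour) from the transaction stream itself, so that clearing the limit field does not silence it. The log format, thresholds and masked card numbers are all invented for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data), one ATM withdrawal per
# line. ****1111 plays a card whose limit was cleared; the others are ordinary.
SAMPLE_LOG = """\
2012-12-22T01:00:00 card=****1111 atm=NYC-001 amount=500
2012-12-22T01:03:00 card=****1111 atm=NYC-007 amount=500
2012-12-22T01:05:00 card=****2222 atm=NYC-003 amount=200
2012-12-22T01:06:00 card=****1111 atm=NYC-012 amount=500
2012-12-22T01:09:00 card=****1111 atm=NYC-012 amount=500
2012-12-22T01:12:00 card=****1111 atm=NYC-019 amount=500
2012-12-22T03:00:00 card=****3333 atm=NYC-050 amount=100
2012-12-22T03:30:00 card=****2222 atm=NYC-003 amount=200
"""

# Per-card thresholds over a sliding hour (assumed values). They live in the
# monitor, not in the card record, so editing a card's limit cannot switch them off.
WINDOW = timedelta(hours=1)
MAX_WITHDRAWALS = 5
MAX_DISTINCT_ATMS = 3
MAX_AMOUNT = 2000

LINE_RE = re.compile(r"^(\S+) card=(\S+) atm=(\S+) amount=(\d+)$")

def parse_log(text):
    """Return (ts, card, atm, amount) tuples in time order; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, card, atm, amount = m.groups()
            events.append((datetime.fromisoformat(ts), card, atm, int(amount)))
    return sorted(events)

def velocity_alerts(events, window=WINDOW):
    """Return the first threshold breach per card, as dicts, in time order."""
    recent = defaultdict(deque)   # card -> withdrawals still inside the window
    alerts, alerted = [], set()
    for ts, card, atm, amount in events:
        dq = recent[card]
        while dq and ts - dq[0][0] > window:   # expire events older than the window
            dq.popleft()
        dq.append((ts, atm, amount))
        atms = {a for _, a, _ in dq}
        total = sum(x for _, _, x in dq)
        reasons = []
        if len(dq) > MAX_WITHDRAWALS:
            reasons.append(f"{len(dq)} withdrawals within {window}")
        if len(atms) > MAX_DISTINCT_ATMS:
            reasons.append(f"{len(atms)} distinct ATMs within {window}")
        if total > MAX_AMOUNT:
            reasons.append(f"{total} withdrawn within {window}")
        if reasons and card not in alerted:   # one alert per card, at first breach
            alerted.add(card)
            alerts.append({"card": card, "at": ts, "withdrawals": len(dq),
                           "atms": len(atms), "amount": total, "reasons": reasons})
    return alerts
```

On the sample, only ****1111 trips the monitor, at its fifth withdrawal, for both the distinct-ATM and the hourly-amount rules.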

The defendants—seven who are in custody and one who was reportedly murdered two weeks ago in the Dominican Republic—allegedly used the proceeds to buy expensive watches, cars, and other luxury items. The surviving defendants have been charged variously with conspiracy to commit access device fraud, money laundering conspiracy, and money laundering. If convicted, they each face a maximum sentence of 10 years in prison for each money-laundering charge and seven and a half years on conspiracy to commit access device fraud.

Promoted Comments

If they had that kind of deep level access, why did they need to clone apparently legitimate cards? I wonder if they could have created their own, set it to be unlimited, and then wipe any trace of the transaction when it was done.

My guess is that by cloning the cards they were able to increase the amount of money they could retrieve from multiple ATMs at the same time. It's multiplying the amount of cash they could grab by increasing the number of simultaneous withdrawals.

Not to infinity +1 you, but why not clone the newly minted unlimited card to allow simultaneous withdrawals?

I do payment processing for a living, and it may be significantly more difficult to create a new card than to modify an existing card. Card creation is quite involved, with interfaces to different systems. You may create a card on a web app, have it inserted into a SQL database, imported into an ancient COBOL-based banking system, and then output to an actual authorization database.

It may be more difficult to create a card, because you have to go through this flow to create the card. To modify an existing card, all you need to do is modify the card item in the authorization database. One location. Maybe that is why.

It's hard to have any sympathy for banks these days, considering the thousands of ways they rip off consumers (all completely legal, of course). For one example, the pre-paid debit cards in lieu of a paycheck (as mentioned in the article) let the banks skim fees from the employees' wages.

Still, good job by the feds (FBI?) on catching these guys. I would be curious to read about how they busted them.

I don't get why you would stage an operation like this in NYC if you live here and intended to stay here. Considering the scale of the operation I would anticipate a flight to a non-extradition country would be among the first purchases.

Could be that to issue whole new cards, additional checks are in place or a third party has to get involved. Increasing, or disabling, the limit on existing cards however may not go noticed until the accounting happens and someone goes "hey, wait a minute".

If they were US-based, would this have been FDIC-insured? That is, would the US taxpayers be on the hook for the banks' inept security?

I was always under the impression that the FDIC only insures the depositors of a bank, not the banks themselves. I.e., by opening an account, you are automatically enrolled in this insurance where, should the bank go belly up, you are still guaranteed your deposit back (up to a limit which used to be $100K, but may be more now). If the bank screws up and loses a bunch of money, too bad for them (of course, we saw that that isn't really the case either).

FWIW, this is my understanding and I have not taken the time to research it any further. Of course, I DO seem to have time to read this article and comment... sigh. I'm a bad Arisian.

Edit: Ok, did my due diligence. Deposits are secured up to $250K, and the mission of the FDIC is to increase consumer confidence in the banks. So I think I was correct above.

The defendants… allegedly used the proceeds to buy expensive watches, cars, and other luxury items.

Don't these guys have any imagination? Think of all the truly interesting things one could do with big bags of cash, instead of just keeping up with all the other nouveau riche crooks.

I agree. Why is the first thought always to just blow it on non-returnable investments? I mean, if you do happen to get away with it, it would seem more logical to try and invest the bulk of the loot in something that is legit in hopes that it is successful, instead of running out of money and taking the chance to do it all over again.

It's entirely possible that the systems in question had some brain damage where the card's limit was encoded on the card itself, so all the crooks had to do was rewrite the limit bits on the cards to make all of the transactions. Then they had to blow through them all real quick before the people back in the banks or processing center noticed and put a halt on the cards. A lot of times news stories will say that the crooks "hacked into the system" when nothing even close to that actually happened.

It would be interesting to know how much of the money actually landed in the hands of these guys.

Anyway, to just disappear into reasonable freedom and luxury for the rest of your life requires a way of pragmatic and rational thinking that often leads to the conclusion that "reasonable freedom and luxury for the rest of your life" may be achieved better by staying out of prison and doing some useful work to begin with.

Or in other words: They started out to do something rather risky and stupid and then continued to do stupid and risky things. Hardly surprising actually.

Also, how old are these guys? If you're young many things look different.

This time it is most likely hacking, seeing that the story specifically mentions two payment processors that worked for two banks. Why go through all that trouble if you can just rewrite the cards?

Even if they split the whole $45 equally, that isn't live-out-your-life-on-an-island-paradise money (especially if they're young; retirement is expensive!), but it is enough to move somewhere warm, buy a bar, live reasonably well and have a pretty good time. I don't generally take even high-tech criminals as wholly pragmatic types.

The story made it sound like the guys only did it twice. Once with one bank, and after the second time with a totally different payment processor and bank, they got busted.

But how were they caught? Were they drawing attention to themselves by spending like idiots (watches and cars) or was there more to it?

Ok. You have identical cards/pins. Let's say you have 80 cards, each with $1000 prepaid on the card. You get 8 people and hand each 10 cards.

The person then goes to an ATM. Then, they insert the card and withdraw $1000. Get that card back. Enter it again. It takes a certain amount of time for the ATM company to process the withdrawal, then forward it to the bank. So, you keep going until it says insufficient funds. Then, on to the next card. (Hence the reason they selected bizarre banks. There was no chance this would have worked if they had selected Wells Fargo and tried withdrawing from a Wells Fargo account. You'd need to go to a non-affiliated ATM, such as those from Cirrus, then hammer it.)

It's an interesting way of doing this. One of the big problems is having a valid card/PIN. A lot of money is spent on getting "good" cards which have valid info. I would suspect that whoever thought of this seeded these cards, so they knew all the correct info. With the hack, they could easily keep withdrawing like there was no tomorrow. The first was a test of the system. The second was a serious run.

They got caught because ATMs generally have cameras. The transaction time/location would have been logged. It would have been easy to track the people from there. My guess is that these guys have no idea who is behind this. They could have either been contract, or bottom-of-the-food-chain types.

(If I were behind this, I would have done that first run, then advertised the scheme/cards. Pay X number of dollars upfront and whatever they pull above that is pure profit.)

It is quite possible this was a completely different crew for each run.

Depends on your standard of living and number of ways divided. $45M 8 ways is about $75k per year for 75 years. Even in the US, if you somehow laundered it and claimed it as normal income, you'd come out about $55k/year.

I'm pretty sure one could live quite comfortably in much of, say, South America on either value without having to live in a third-world environment.

I don't follow this story completely. From where did they pilfer all the pre-paid card info/PINs?

Anyone can get a pre-paid card, there are stacks of them at every check out lane at Walmart. I'm sure you can get them from any bank just as easily. You only need one for this, and it doesn't need to be pilfered. They made copies so that as many people as possible could hit as many ATMs as possible in a small time frame.

Yeah, but don't you have to activate them? And these guys removed the withdrawal limits; I didn't read anything about the balances on the cards.

Um, you've got the wrong program. The FDIC (Federal Deposit Insurance Corporation) insures depositors against bank screw-ups. I.e., if you have a savings account at Bank A, and Bank A goes insolvent investing in whatever, the FDIC reimburses you as a depositor (up to a limit of $250,000 per ownership category), because otherwise your only recourse would be to sue the bank along with all the other debt holders to recover a portion of your losses (leaving you potentially in very difficult circumstances in the meantime).

The FDIC, while government owned (it's a corporation owned by the US government), is also not taxpayer funded; it's paid for through fees paid by the banks (and therefore ultimately their customers).

This is pedantic, yes, but it annoys me to see people blame the wrong government programs. The FDIC is most emphatically not TARP, or any other bailout program.

Money laundering? What money laundering? Theft, sure, but money laundering? That's when you take money from a crime and launder it through a legitimate business to make it look like legitimate money. I see nothing in the story that these guys did that, they just stole it and spent it.

From the AP:

Quote:

One of the suspects was caught on surveillance cameras, his backpack increasingly loaded down with cash, authorities said. Others took photos of themselves with giant wads of bills as they made their way up and down Manhattan.

If I were to be 'murdered' and not prosecuted, the DR would be one place to do it.